Incident response investigations are not living in the magical future Hollywood promised. Instead, when an incident comes up, understanding it generally still means searching through logs and jumping through different tool UI panels. Most likely, with notepad open. This talk shares our experiences in increasing leverage in the active investigation process through visual playbook automation and visual graph analysis.
We'll focus on initial high-leverage applications of these ideas within IR. Visual graph analysis simplifies answering questions around incident scope, progression, correlations, and outliers. Visual playbooks solve how to quickly and reliably gather data around an incident and present it in an interpretable and actionable manner. We'll show how to combine these ideas to improve handling of malware, phishing, audits, and other common IR investigation tasks. Throughout, we'll demonstrate how to achieve these results by connecting traditional Splunk/ELK/Hadoop/graph stacks to Graphistry for query generation and data visualization.